Oct 04, 2015

I have been teaching a class on Network Security at mlab and one student asked what the state of cyber-security in the country was. In this post I explain the current state and the outlook over the coming years.

Saints

Let’s get right to it: the majority of businesses are in a sorry state, information-security-wise. On the other side we have hackers with the capacity to bring these businesses to their knees should they choose to.
This is where the businesses get lucky. They are surviving potential ruin through the good will of these hackers. We are in a state where we have these ‘saints’ trying to fix the situation, but as is usually the case, the people who need their help the most instead choose to either ignore them or wage war against them.
So why would otherwise reasonable people go against the very people who are trying to help them and trample all over their advice? As with everything else related to the human person, it boils down to pride and self-interest.
We have the IT managers and other information security personnel desperate to hold on to their jobs. Anyone who attempts to cast doubt on their competence, as they see it, is the enemy. The thought of admitting to their employers that they need help in securing their systems scares them to death (in some cases it’s business owners not wanting to look bad to their clients). This myopic view has them preferring to have their systems breached and then papering over the cracks so that their bosses/clients will be none the wiser. In effect what we’re left with are vilified saints, insulated business owners/clients, and IT personnel/business owners protecting their interests.
Next we have the group that is driven by pride. They are often business owners who just cannot admit something is not right. They are more dangerous and detrimental to their businesses than the previous group. Most of them suffer from the Dunning-Kruger effect, which Wikipedia describes as:

The Dunning–Kruger effect is a cognitive bias wherein relatively unskilled individuals suffer from illusory superiority, mistakenly assessing their ability to be much higher than is accurate.

They will come out guns blazing should they be challenged and there is no convincing them otherwise.

Let me demonstrate an actual case I’ve dealt with:

Me: Your wireless network uses an extremely weak password. You should change it to a more complex one to make your network more secure.

Business owner: I know we have a weak password and that’s how we like it. If someone tries to hack us, I’ll use those tools and hack them back.

Denying the obvious with whatever they can come up with is a speciality they master. Unfortunately for them, this is usually their undoing when their businesses suffer irreparable damage.

Outlaws

Winter is coming. The landscape is changing: we’re headed into an era of highly skilled individuals with time on their hands. We have students entering the IT field in droves. We have seen an influx of young, ambitious and technically proficient people spurred on by several tech incubators over the past few years. The number of tech start-ups entering the market grows by the day.
A lot of these start-ups will fail, and a lot of these skilled people ripe with ambition will lack jobs.
The low-hanging fruit of insecure businesses will be ripe for their picking. They will then probably hone their skills and move on to more advanced attacks. I see us entering an era of outlaws, and the tipping point is on the horizon.
Hell hath no fury like a woman hacker scorned. Businesses have been surviving thus far because they haven’t offended the wrong people. One of these days a business will mess with the wrong hacker. We are teetering on the edge of a major local breach, one that cannot be covered up. The saints need backing before an age of outlaws overruns them.

The fix

The same things that make the state of information security so precarious are the ones that, if employed appropriately, can salvage it.
Hackers too are driven by self-interest and pride, and that’s all businesses need to offer them to keep them on their side. Offering bounty programs to people who discover vulnerabilities is an easy and effective way to accomplish this.
Hackers love recognition and appreciation of their skills, offer them this and they’ll be your first line of defence. They’ll even notify you of imminent threats as they arise.
Deride them and they may spend the rest of their days trying to get back at you, just ask Sony.
The exponentially growing number of young skilled hackers getting into the field with time to burn will need an outlet. They will have to be jointly supported by both businesses and established professionals in creation of opportunities and in mentorship.
With that, the saints will have every chance of winning the war.